After the introduction of Data Execution Prevention (DEP) into various operating systems, attackers have resorted to techniques that reuse code already present in memory to perform malicious or unauthorized actions, since DEP prevents them from executing code they inject themselves. A common target for attackers is the execution of privileged (e.g., “Ring 0”) code, such as operating system (OS) kernel code, which executes in a computing system at the highest level of privilege. For instance, one attack technique, Return Oriented Programming (ROP), chains together “gadgets” (short sequences of existing privileged code already loaded into memory, each ending in a return instruction) by supplying a sequence of return addresses on the stack, so that an attack requiring privileged permissions is carried out entirely by code the attacker did not write.
In modern computers, software is written in terms of a virtual address space and uses virtual addresses. An attacker therefore has to know the addresses, within the victim process's virtual address space, of the “gadgets” they intend to use. Computing systems have attempted to protect against ROP and similar attacks through techniques such as Kernel Address Space Layout Randomization (KASLR). KASLR is a feature of modern OSs that loads the kernel at a base address chosen at random (typically at boot), so that an attacker cannot know in advance where potential “gadgets” are located within a process's virtual address space; without those addresses a ROP chain cannot be assembled. However, attacks have been developed to defeat address randomization techniques and locate the addresses of privileged (e.g., “Ring 0”) code in virtual memory, as well as code and data of other application (e.g., “Ring 3”) processes. These attacks make use of the fact that, for performance reasons, the kernel maps itself into every process's virtual address space: the kernel's pages are present in the process's page tables, marked as accessible only to privileged code, so a user-mode access to a kernel address is refused, but the way the processor handles that refused access (for instance, how long it takes) can still reveal whether the address is mapped, and hence where the kernel lies.
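The mechanism described in the two paragraphs above, as an added, runnable example that is not part of the original document: a minimal ROP chain on x86-64 Linux (System V ABI, GCC or Clang assumed). The gadgets, the stack pivot and the “privileged” routine are defined here only so the program is self-contained; in a real attack they are instruction sequences found in code that is already loaded, which is why DEP does not stop the chain. The chain itself is pure data: addresses and argument words. It is built from one assumed-leaked base address plus fixed offsets, which is exactly the knowledge KASLR is meant to deny; with a wrong base the first `ret` lands on garbage and the process crashes. All function and symbol names (`gadget_pop_rdi`, `rop_enter`, `rop_demo`, and so on) are hypothetical names chosen for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Gadgets and a stack pivot, written in assembly so the example is
 * self-contained. In a real attack the attacker does not write these; they are
 * located inside code already loaded into memory (e.g., the kernel image). */
__asm__(
    ".text\n"
    ".globl gadget_pop_rdi\n"
    "gadget_pop_rdi:\n"
    "    pop %rdi\n"                          /* next chain word -> argument 1 */
    "    ret\n"                               /* continue at the next address */
    ".globl gadget_pop_rsi\n"
    "gadget_pop_rsi:\n"
    "    pop %rsi\n"                          /* next chain word -> argument 2 */
    "    ret\n"
    ".globl gadget_unpivot\n"
    "gadget_unpivot:\n"                       /* last link: hand the real stack back */
    "    mov rop_saved_rsp(%rip), %rsp\n"
    "    ret\n"
    ".globl rop_enter\n"
    "rop_enter:\n"                            /* save the real stack, pivot rsp to chain */
    "    mov %rsp, rop_saved_rsp(%rip)\n"
    "    mov %rdi, %rsp\n"
    "    ret\n"                               /* pops chain[0]: the chain now runs */
    ".data\n"
    ".balign 8\n"
    "rop_saved_rsp: .quad 0\n"
    ".text\n"
);

extern void gadget_pop_rdi(void);
extern void gadget_pop_rsi(void);
extern void gadget_unpivot(void);
/* Pivots to `chain` and returns whatever the chain leaves in rax. */
extern uint64_t rop_enter(uint64_t *chain);

/* Stand-in for existing privileged code (think of a kernel routine that the
 * attacker wants to run with arguments of their choosing). */
static volatile uint64_t privileged_state;
__attribute__((noinline)) uint64_t privileged_compute(uint64_t a, uint64_t b) {
    privileged_state = a + b;
    return privileged_state;
}
uint64_t get_privileged_state(void) { return privileged_state; }

/* The attacker's recipe is a set of offsets from one image base, normally
 * worked out offline from an unrandomized copy of the image. Here they are
 * read from this process's own symbols, since it plays attacker and victim. */
static uintptr_t off_pop_rsi, off_privileged, off_unpivot;
static void measure_offsets(void) {
    uintptr_t base = (uintptr_t)gadget_pop_rdi;
    off_pop_rsi    = (uintptr_t)gadget_pop_rsi     - base;
    off_privileged = (uintptr_t)privileged_compute - base;
    off_unpivot    = (uintptr_t)gadget_unpivot     - base;
}

/* Build and run the chain from a (supposedly leaked) base address. Only data
 * words are written, never instruction bytes, so DEP/NX is not involved.
 * Under KASLR a wrong `leaked_base` makes every address wrong and the
 * process faults at the first ret: that is the whole protective effect. */
uint64_t rop_demo(uintptr_t leaked_base, uint64_t a, uint64_t b) {
    static uint64_t chain[8] __attribute__((aligned(16)));
    size_t i = 0;
    measure_offsets();
    chain[i++] = leaked_base;                  /* pop rdi; ret */
    chain[i++] = a;                            /* popped into rdi */
    chain[i++] = leaked_base + off_pop_rsi;    /* pop rsi; ret */
    chain[i++] = b;                            /* popped into rsi */
    chain[i++] = leaked_base + off_privileged; /* existing "privileged" code */
    chain[i++] = leaked_base + off_unpivot;    /* return control to C */
    return rop_enter(chain);
}

/* The "leak": in this demo the process simply knows its own gadget address.
 * Obtaining this one value is what a KASLR bypass is for. */
uintptr_t leaked_gadget_base(void) { return (uintptr_t)gadget_pop_rdi; }

int main(void) {
    uint64_t r = rop_demo(leaked_gadget_base(), 40, 2);
    printf("chain returned %llu, privileged_state=%llu\n",
           (unsigned long long)r, (unsigned long long)get_privileged_state());
    return r == 42 ? 0 : 1;
}
```

Note the stack alignment: because each gadget pops exactly the words listed after it, `privileged_compute` is entered with `rsp` congruent to 8 modulo 16, as the ABI requires; a chain that breaks this can crash inside otherwise valid gadgets, which is one reason real chains are assembled from a known image layout rather than guessed.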